GNU bug report logs - #69858
[PATCH 1/2] services: dovecot: Prefer server ciphers by default.

Previous Next

Package: guix-patches;

Reported by: Herman Rimm <herman <at> rimm.ee>

Date: Sun, 17 Mar 2024 15:36:01 UTC

Severity: normal

Tags: patch

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Herman Rimm <herman <at> rimm.ee>
To: guix-patches <at> gnu.org
Cc: Herman Rimm <herman <at> rimm.ee>
Subject: [PATCH 1/2] services: dovecot: Prefer server ciphers by default.
Date: Sun, 17 Mar 2024 16:34:33 +0100

* gnu/services/mail.scm (dovecot-configuration): Add
'ssl-prefer-server-ciphers?' field.
* doc/guix.texi (Mail Services)[Dovecot Service]: Describe field.

Change-Id: I1ea7c53466ebc3b01082938b5d9dee47c683017d
---
 doc/guix.texi         | 5 +++++
 gnu/services/mail.scm | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index eca1cb3712..b58ed90b2f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -26989,6 +26989,11 @@ Time to delay before replying to failed authentications.
 Defaults to @samp{"2 secs"}.
 @end deftypevr
 
+@deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-prefer-server-ciphers?
+Prefer a server's allowed cipher list over own cipher list.
+Defaults to @samp{#t}.
+@end deftypevr
+
 @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-require-client-cert?
 Require a valid SSL client certificate or the authentication
 fails.
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index afe1bb6016..cd3f961094 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2020 Jonathan Brielmaier <jonathan.brielmaier <at> web.de>
 ;;; Copyright © 2023 Thomas Ieong <th.ieong <at> free.fr>
 ;;; Copyright © 2023 Saku Laesvuori <saku <at> laesvuori.fi>
+;;; Copyright © 2024 Herman Rimm <herman <at> rimm.ee>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -1261,9 +1262,15 @@ (define-configuration dovecot-configuration
 intend to use @samp{ssl-verify-client-cert? #t}.  The file should
 contain the CA certificate(s) followed by the matching
 CRL(s).  (e.g. @samp{ssl-ca </etc/ssl/certs/ca.pem}).")
+
+  (ssl-prefer-server-ciphers?
+   (boolean #t)
+   "Prefer the server’s cipher list over a client’s cipher list.")
+
   (ssl-require-crl?
    (boolean #t)
    "Require that CRL check succeeds for client certificates.")
+
   (ssl-verify-client-cert?
    (boolean #f)
    "Request client to send a certificate.  If you also want to require
-- 
2.41.0
This bug report was last modified 1 year and 88 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.